freebsd-security Digest, Vol 371, Issue 1

Kapil Jain kapil at sh3lls.net
Mon May 2 13:32:19 UTC 2011 

Try to change port for pop3 use some weired port, and specify that port in your gmail account for fetching, it's not full proof but it might work for you


Kapil Jain
Sent from my iPad

On 02-May-2011, at 5:30 PM, freebsd-security-request at freebsd.org wrote:

> Send freebsd-security mailing list submissions to
>    freebsd-security at freebsd.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
>    freebsd-security-request at freebsd.org
> 
> You can reach the person managing the list at
>    freebsd-security-owner at freebsd.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
> 
> 
> Today's Topics:
> 
>   1. limiting pop access to gmail servers ? (George Sanders)
>   2. Re: limiting pop access to gmail servers ? (Patrick Proniewski)
>   3. Re: limiting pop access to gmail servers ? (Gleb Kurtsou)
>   4. Re: limiting pop access to gmail servers ? (cronfy)
>   5. Re: limiting pop access to gmail servers ?
>      (freebsd-lists at albury.net.au)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 1 May 2011 15:55:25 -0700 (PDT)
> From: George Sanders <gosand1982 at yahoo.com>
> Subject: limiting pop access to gmail servers ?
> To: freebsd-security at freebsd.org
> Message-ID: <349555.87646.qm at web120019.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> 
> We run our own (freebsd) mail server.  It's a pretty classic, old fashioned 
> /var/mail/username setup.
> 
> We have enabled POP so that certain people can pop their mail from us, and use 
> gmail as their mail client.
> 
> However, we have no other POP users ... and I don't want POP open to the whole 
> world ...
> 
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail 
> from us ...
> 
> Is there an authoritative list ?
> 
> Anyone else blocking POP access to everyone BUT google ?
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Mon, 2 May 2011 08:18:30 +0200
> From: Patrick Proniewski <patpro at patpro.net>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982 at yahoo.com>
> Cc: freebsd-security at freebsd.org
> Message-ID: <3FF47F45-A59F-4542-A65E-6069300D9224 at patpro.net>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hello,
> 
> On 02 mai 2011, at 00:55, George Sanders wrote:
> 
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail 
>> from us ...
> 
> You are right about that. According to my pop logs, my servers have encounter about 1000 different IPs from google (920 actually). 
> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
> By the way, I'm in europe, I'm not sure USA, Australia or Japan would see the same gmail POP clients.
> 
>> Is there an authoritative list ?
> 
> I don't know.
> 
>> Anyone else blocking POP access to everyone BUT google ?
> 
> I don't.
> 
> patpro
> 
> ------------------------------
> 
> Message: 3
> Date: Mon, 2 May 2011 12:42:04 +0600
> From: Gleb Kurtsou <gleb.kurtsou at gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982 at yahoo.com>
> Cc: freebsd-security at freebsd.org
> Message-ID: <BANLkTikgQM=-d41dCCDPpO-xBHOOy+CEbw at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> On Mon, May 2, 2011 at 4:55 AM, George Sanders <gosand1982 at yahoo.com> wrote:
>> 
>> 
>> We run our own (freebsd) mail server.  It's a pretty classic, old fashioned
>> /var/mail/username setup.
>> 
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>> 
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>> 
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>> 
>> Is there an authoritative list ?
>> 
>> Anyone else blocking POP access to everyone BUT google ?
> 
> Didn't try it myself, just a wild guess. Hopefully google pop clients
> use real ssl certificates signed by google to authenticate. Mutual ssl
> authentication is hardly ever used, but still.
> 
> Setup pop over ssl and check for google certificates instead.
> 
> Gleb.
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Mon, 2 May 2011 10:41:59 +0400
> From: cronfy <cronfy at gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: freebsd-security at freebsd.org, gosand1982 at yahoo.com
> Message-ID: <BANLkTikEoddderju8un4jRouVWDBvPPZ8g at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
> Hi,
> 
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop
>> mail
>>> from us ...
>> 
>> You are right about that. According to my pop logs, my servers have
>> encounter about 1000 different IPs from google (920 actually).
>> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.
>> google.com
>> By the way, I'm in europe, I'm not sure USA, Australia or Japan would see
>> the same gmail POP clients.
>> 
> 
> 
> You can make active checks for incoming connections. If reverse DNS record
> is valid (ip -> resolves to name -> resolves to same ip) and it matches '.*
> google.com$' regexp, then it is Google.
> 
> 
> -- 
> Олег Петрачев
> 
> 
> ------------------------------
> 
> Message: 5
> Date: Mon, 2 May 2011 17:23:07 +1000 (EST)
> From: freebsd-lists at albury.net.au
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982 at yahoo.com>
> Cc: freebsd-security at freebsd.org
> Message-ID: <20110502171811.Y39066 at ali-syd-1.albury.net.au>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> 
> 
> 
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>> 
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>> 
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
> 
> 
> While not a "strong" solution, out-of-the box, I'd suggest in 
> /etc/hosts.allow (probably after the "paranoid" line to make inetd check 
> fwd/reverse match)
> 
> ALL : PARANOID : RFC931 20 : deny
> 
> assuming you use qpopper (change as required)
> 
> qpopper : .google.com : allow
> qpopper : x.x.x.0/255.255.255.0 : allow       (your directly-connected users)
> qpopper : all : deny
> 
> 
> RossW
> 
> 
> ------------------------------
> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> 
> End of freebsd-security Digest, Vol 371, Issue 1
> ************************************************

More information about the freebsd-security mailing list